.text:00000CBC lea     eax, (aWhat?TheMonaLi-4000h)[ebx] ; "What? The Mona Lisa!\nLook, if you want"...
.text:00000CC2 push    eax             ; s
.text:00000CC3 call    _puts
.text:00000CC8 add     esp, 4
.text:00000CCB push    30h             ; nbytes
.text:00000CCD lea     eax, [ebp+s]
.text:00000CD0 push    eax             ; buf
.text:00000CD1 push    0               ; fd
.text:00000CD3 call    _read
.text:00000CD8 add     esp, 0Ch
.text:00000CDB lea     eax, (inp-4000h)[ebx]
.text:00000CE1 lea     edx, [ebp+s]
.text:00000CE4 mov     [eax], edx
.text:00000CE6 push    0               ; oflag
.text:00000CE8 lea     eax, (a_Password-4000h)[ebx] ; "./password"
.text:00000CEE push    eax             ; file
.text:00000CEF call    _open
.text:00000CF4 add     esp, 8
.text:00000CF7 mov     edx, eax
.text:00000CF9 lea     eax, (pfd-4000h)[ebx]
.text:00000CFF mov     [eax], edx
.text:00000D01 lea     eax, (pass-4000h)[ebx]
.text:00000D07 mov     edx, [eax]
.text:00000D09 lea     eax, (pfd-4000h)[ebx]
.text:00000D0F mov     eax, [eax]
.text:00000D11 push    2Bh             ; nbytes
.text:00000D13 push    edx             ; buf
.text:00000D14 push    eax             ; fd
.text:00000D15 call    _read
.text:00000D1A add     esp, 0Ch
.text:00000D1D call    checkPass
.text:00000D22 mov     eax, 0
.text:00000D27 mov     ebx, [ebp+var_4]
.text:00000D2A leave
.text:00000D2B retn
.text:00000D2B main endp

The program moves esp to ebp and pushes ebx onto the stack, which decreases esp by 4. Then it subtracts 0x30 from esp, which makes esp equal to ebp-0x34. Notice that after every call the parameters are cleared from the stack (the add esp, N after each call). Therefore, we know that esp will still be ebp-0x34 when we return from the checkPass call. Notice also that the password supplied by the user is stored at ebp-0x34, so we have full control over the stack!
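The esp bookkeeping above can be checked mechanically rather than by hand. The following script is an added example (not part of the original write-up) that walks the IDA listing of main, tracks esp as an offset from ebp, and reports the offset at every call site. It assumes the prologue described in the prose (push ebx; sub esp, 30h), so the walk starts at ebp-0x34, and it assumes cdecl callees, so a call has no net effect on esp once the callee returns; the listing embedded in the script is the page's own listing with IDA's spacing restored.

```python
import re

# Constructed input: the main() body from the write-up, with IDA's column
# spacing restored. The prologue itself is not in the excerpt; its effect
# (push ebx; sub esp, 30h => esp = ebp-0x34) is taken as the start offset.
LISTING = """
.text:00000CBC lea     eax, (aWhat?TheMonaLi-4000h)[ebx] ; "What? The Mona Lisa!\\nLook, if you want"...
.text:00000CC2 push    eax             ; s
.text:00000CC3 call    _puts
.text:00000CC8 add     esp, 4
.text:00000CCB push    30h             ; nbytes
.text:00000CCD lea     eax, [ebp+s]
.text:00000CD0 push    eax             ; buf
.text:00000CD1 push    0               ; fd
.text:00000CD3 call    _read
.text:00000CD8 add     esp, 0Ch
.text:00000CDB lea     eax, (inp-4000h)[ebx]
.text:00000CE1 lea     edx, [ebp+s]
.text:00000CE4 mov     [eax], edx
.text:00000CE6 push    0               ; oflag
.text:00000CE8 lea     eax, (a_Password-4000h)[ebx] ; "./password"
.text:00000CEE push    eax             ; file
.text:00000CEF call    _open
.text:00000CF4 add     esp, 8
.text:00000CF7 mov     edx, eax
.text:00000CF9 lea     eax, (pfd-4000h)[ebx]
.text:00000CFF mov     [eax], edx
.text:00000D01 lea     eax, (pass-4000h)[ebx]
.text:00000D07 mov     edx, [eax]
.text:00000D09 lea     eax, (pfd-4000h)[ebx]
.text:00000D0F mov     eax, [eax]
.text:00000D11 push    2Bh             ; nbytes
.text:00000D13 push    edx             ; buf
.text:00000D14 push    eax             ; fd
.text:00000D15 call    _read
.text:00000D1A add     esp, 0Ch
.text:00000D1D call    checkPass
.text:00000D22 mov     eax, 0
.text:00000D27 mov     ebx, [ebp+var_4]
.text:00000D2A leave
.text:00000D2B retn
.text:00000D2B main endp
"""

# One IDA line: ".text:<hex addr> <mnemonic> [operands] [; comment]"
INSN_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")


def parse_imm(text):
    """Parse an IDA immediate: '30h' / '0Ch' are hex, a bare number is decimal."""
    text = text.strip()
    return int(text[:-1], 16) if text.lower().endswith("h") else int(text, 0)


def track_esp(listing, start_offset=-0x34):
    """Return (addr, mnemonic, operands, esp_offset_before) for each instruction.

    esp_offset is relative to ebp. Only instructions that move esp in this
    listing are modelled: push/pop, add/sub esp, leave, retn. A call pushes a
    return address that the callee's ret pops again, so under cdecl it is
    treated as net zero; the caller's own add esp, N does the argument cleanup.
    """
    esp = start_offset
    trace = []
    for line in listing.strip().splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2).lower(), m.group(3) or ""
        ops = ops.split(";")[0].strip()           # drop IDA's trailing comment
        if ops == "endp" or ops.startswith("proc"):
            continue                              # 'main endp' is not an instruction
        trace.append((addr, mnem, ops, esp))
        if mnem == "push":
            esp -= 4
        elif mnem == "pop":
            esp += 4
        elif mnem in ("add", "sub") and ops.lower().startswith("esp,"):
            imm = parse_imm(ops.split(",", 1)[1])
            esp += imm if mnem == "add" else -imm
        elif mnem == "leave":                     # mov esp, ebp ; pop ebp
            esp = 4
        elif mnem == "retn":
            esp += 4
    return trace


def esp_at_calls(trace):
    """Map each call-site address to (target, esp offset from ebp at the call)."""
    return {addr: (ops, esp) for addr, mnem, ops, esp in trace if mnem == "call"}


if __name__ == "__main__":
    for addr, (target, esp) in sorted(esp_at_calls(track_esp(LISTING)).items()):
        print(f"{addr:08X} call {target:<10} esp = ebp-0x{-esp:X}")
```

Running it shows esp back at ebp-0x34 for the call to checkPass, and ebp-0x40 at both _read calls (three 4-byte arguments pushed), which is the arithmetic the paragraph above does by hand.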

Since we can only change one byte of the return address, we cannot go much further. How about jumping back to the _read call located at 0xD15? We know the address of the memory where the real password is stored, and we have full control over the stack. We can simply call _read such that it reads input from stdin and writes it to the address of the password. After that, checkPass will be called, and since we have entered both passwords, they will match. Finally, lisa will be called and we will get our flag.